https://k5wiki.test.kerberos.org/wiki?action=history&feed=atom&title=Release_Meeting_Minutes%2F2012-04-17 2026-05-14T17:25:42Z Revision history for this page on the wiki MediaWiki 1.27.4 https://k5wiki.test.kerberos.org/wiki?title=Release_Meeting_Minutes/2012-04-17&diff=4594&oldid=prev 2012-04-17T20:14:15Z

<p>New page: {{minutes|2012}} Will Fiveash, Greg Hudson, Simo Sorce, Zhanna Tsitkov, Tom Yu == Encrypted timestamp preauth == ;Will: granularity of error handling on init_creds. Invalid password diff...</p> <p><b>New page</b></p><div>{{minutes|2012}}<br /> Will Fiveash, Greg Hudson, Simo Sorce, Zhanna Tsitkov, Tom Yu<br /> <br /> == Encrypted timestamp preauth ==<br /> <br /> ;Will: granularity of error handling on init_creds. Invalid password different from principal not found. Is reasonable to treat differently in terms of fallback? Maybe clients should know about KDC policies.<br /> <br /> ;Greg: n-strikes -- strikes are not against the person, but the account object. Purpose is to mitigate attacks. Some suggestions about tracking password failures by source IP address; that's not necessarily helpful due to spoofing, NATs, etc.<br /> <br /> ;Will: Errors from propagation delays -- either password changes or principal creation.<br /> <br /> ;Simo: Lockout counts are not replicated in AD.<br /> <br /> ;Greg: There's currently no protection against trying a KDC twice (1.3.1 master KDC behavior changes).<br /> <br /> ;Simo: Maybe they didn't know about lockout count independence. Or maybe pass info about which KDCs have been tried.<br /> <br /> ;Greg: Might want to track which KDCs you've talked to for other reasons, e.g. SAM preauth (causes KDC to create some state). Currently not enough state passed around; would need code rearrangement. On the bright side, sendto_kdc is a private interface, so we can change it more easily.<br /> <br /> ;WIll: Bug we introduced -- non-PKINIT preauth. Ended up sending encrypted timestamp preauth in first AS-REQ. If principal doesn't have a key for that enctype... Solaris was using aes256; principal didn't have AES key. KDC said preauth failed. Asked Microsoft whether it would be a strike (against password failure lockout); he said no. MIT gives preauth failed.<br /> <br /> ;Greg: Encrypted timestamp doesn't distinguish between wrong key and no key.<br /> <br /> ;Will: optimistic preauth<br /> <br /> ;Greg: So you don't want a &quot;strike&quot; in that case. Preauth failed ... Sam wanted to try different mechs. Retry once...<br /> <br /> ;Will: Additional data?<br /> <br /> ;Greg: Can define e-data. Encrypted timestamp doesn't.<br /> <br /> ;Tom: AD might send some non-standard errors.<br /> <br /> ;Will: Forwarded some messages to you. ETYPE_NOSUPP...<br /> <br /> == GSS extensions ==<br /> <br /> ;Simo: Nico sent message to kitten ... 2 weeks ago. Simon mostly in favor. No objections.<br /> <br /> ;Greg: Didn't see any serious objections. People wanted to make sure the exported form contained a reference to a store, not the actual creds. Project proposal, for documentation purposes at least. Github fork probably best way to contribute for now.<br /> <br /> ;Simo: Attributions wrong...<br /> <br /> ;Greg: Will manually attribute in commit; we'll work out policy for how to handle it for when we have done the git cutover.<br /> <br /> ;Simo: Will clean up and let you know.<br /> <br /> ;Simo: Export/import cred more important than partial sec context export.<br /> <br /> == IRC logging ==<br /> <br /> ;Tom: We're losing lopbot, so possibly no logging of #krbdev soon. Might get a minimal replacement for logging. Do people care about haps in logging?<br /> <br /> ;Will: Would be nice to have logs.<br /> <br /> == Release planning ==<br /> <br /> ;Will: Verify init creds -- pick based on keytab contents. Try all host/* principals. Will submit patch via git.</div>

TomYu